This tweet highlights a critical security issue: browser vulnerabilities can be used to bypass web application firewalls (WAFs) and other edge protection mechanisms. According to the tweet, the WAF sees only 'clean requests'. The malicious payload is not visible at the network edge because it is hidden or transformed in the browser, so the origin server is what ultimately processes it, and an attack can succeed despite the edge controls in place. Because the edge never sees the payload, this kind of bypass is universal and vendor-independent, affecting AWS WAF, Imperva, F5, Cloudflare, Azure WAF, and Google Armor alike. The key takeaway is that relying solely on WAFs and edge protections is insufficient; security must also be enforced at the application and browser level, with controls capable of detecting and mitigating such browser-based attack vectors.
https://twitter.com/EdgeDetectOps/status/2039493237488984415